Making an ODBC connection when impersonating an user using Kerberos authentication

Question

My client application/browser authenticates against my server using Kerberos. The server runs Apache/Tomcat, and it talks to my service which runs on the server. My service can distribute work to another service on a different machine, so we will need to set up constrained delegation. My service on the server (on the server machine or the other machine) needs to talk to a SQL Server database using ODBC. I want to impersonate the end user (in AD). From reading online, to impersonate the end user, it seems like all I need to do is to make the SQLDriverConnect call to the ODBC driver on a thread which impersonates the end user.

If the user is already authenticated and I can get some token (TGT?) in my service, what API would I need to call in my service thread to impersonate the end user? I see ImpersonateLoggedOnUser and ImpersonateSecurityContext as likely options, but I don't really know which ones applies in my case and what specifically ticket/token I need here.

Also, I see that SetThreadToken can be an option too when the user is already authenticated. Is it?

My service is in C++ and the environment is Windows (7 or Server).

Answer 1

Without verifying this flow, you should try the following:

Prerequisite: If you want to resort to constrained delegation, you will need Java 8. No other options. Unconstrained works from Java 6.

Client SPNEGO/Kerberos => Tomcat/Server 1 ( extract delegated credential with JGSS ) => Tomcat/Server 1 obtain service ticket for next layer with delegated credential => C++ backed Server 1 (extract delegated credential with SSPI) => impersonate, etc.

Please note that you cannot call ODBC from Java but only from C/C++ so if you want to remain both on the same machine, get your service ticket for host/ and proceed with C++ and ODBC.